EHRs are rapidly changing, and many practices are intimidated by the regulations designed to keep EHR systems compliant with federal security and patient privacy requirements.
The Health Insurance Portability and Accountability Act does not have to be scary or impossible to understand. By taking the time to evaluate your EHR system for HIPAA compliance, you will be reducing your risk of making costly mistakes.
Know the basic HIPAA requirements
Covering patient privacy and security, HIPAA standards apply to organizations and agencies that are determined by law to be “covered entities” or “business associates” and are working with patient information, according to the U.S. Department of Health and Human Services.1 This definition includes healthcare providers, outside companies hired to help with patient information, and other groups. Chiropractic practices are part of these standards.
HIPAA standards go beyond EHR, so reviewing your practice’s procedures and paperwork for compliance is a smart best-practice. For more help, the U.S. Department of Health and Human Services has a website with detailed HIPAA requirements and additional resources for healthcare providers. Since HIPAA standards may change, be sure to review the official requirements regularly.
Understand the HIPAA Security Rule
Your EHR must fulfill the requirements of the HIPAA Security Rule by having “administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”²
This rule, by outlining specific areas where your EHR must be compliant, provides you with ideas for improving the security of your software system and reducing your risk of information security problems.
To improve your compliance, be sure to address each area individually:³
- Administrative safeguards: Have procedures and policies that prevent employees and other staff from misusing patient information. Regularly conduct your own risk analysis to identify and eliminate potential security breaches. Review the U.S. Department of Health and Human Services’ requirements for a risk analysis.
- Physical safeguards: Protect patient information from outside access and from natural disasters, physical damage to data, and other physical problems by setting appropriate policies and using physical or technological barriers.
- Organizational standards: If outside organizations access your patient information (such as an EHR vendor or billing and coding vendor), use contracts and written policies to specify how data is used and protected.
- Maintain written policies and procedures: You must maintain documentation, in writing, of your policies and procedures that are used by your practice to comply with the Security Rule. This documentation must be saved for at least six years after the policies and procedures are created or six years after their last effective date. This documentation should also include “written records of required actions, activities, or assessments.”³ These documents should be updated regularly to account for organizational and other changes.
For more information, you can read about the Security Rule at the U.S. Health and Human Services website.
Find out if your EHR vendor is compliant
Many EHR vendors are already HIPAA compliant and take these standards very seriously. Asking your vendor about how they maintain compliance, however, is an important part of maintaining your own compliance with the Security Rule. You must also have a written, contractual agreement outlining how your vendor maintains the security of patient information.³
Be sure that you and your staff are properly trained in your EHR’s features and know how to update your software, use security features, and keep patient data private. Your software may require special settings before it is fully secure. If necessary, ask your vendor for more information about how to control and use security features.
When choosing a new vendor, use the Certified Health IT Product List of EHR products that are certified by the Secretary of Health and Human Services. To earn this certification, vendors must submit their software to testing and verification. These products must meet specific guidelines for security and functionality, including compliance with HIPAA requirements.³
Review your practice regularly
By reviewing your EHR and having a plan in place, you can stay HIPAA compliant. Using available online resources and outside help if you need it, create your own HIPAA risk analysis and find ways to protect your practice and your patients.
1 U.S. Department of Health and Human Services. “For Covered Entities and Business Associates.” http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. Accessed November 2015.
2 U.S. Department of Health and Human Services. “The Security Rule.” http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html. Accessed November 2015.
3 The Office of the National Coordinator for Health Information Technology. “Understanding Electronic Health Records, the HIPAA Security Rule, and Cybersecurity.” https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-4.pdf. Published April 2015. Accessed November 2015.